Complete deployment manual

Install and configure LexyBox

This guide covers a clean LexyBox server installation, database import, PHP configuration, Plex connection, admin-panel setup, Android app connection, security hardening, and the complete feature set.

Private media only: Use LexyBox only with Plex servers and media you are authorized to access.

Server Requirements

Web server

Apache or Nginx with HTTPS enabled.

PHP

PHP 8.1+ with PDO MySQL, JSON, OpenSSL, cURL/URL access, and mbstring recommended.

Database

MySQL 8.0+ or a compatible MariaDB release.

Plex

A reachable Plex Media Server URL and valid owner token.

Storage

Writable admin/uploads folder for images and splash videos.

Android customization

Java/JDK, Apktool, zipalign, and apksigner for modifying the supplied compiled APK.

Important Package Files

Path	Purpose
`database/schema.sql`	Main database installer. You may rename it to `lexybox.sql` before distributing it.
`backend/config/config.php`	Database credentials, application URLs, and server-side secrets.
`backend/api/index.php`	Main API endpoint and router.
`admin/login.php`	Admin panel login page.
`LexyBox.apk`	Compiled Android application supplied to the customer. It must be decompiled and configured with the customer's panel URL.

1. Create and Import the Database

Create a new empty database and database user.
The supplied SQL uses the database name lpplayer. Create it with that name, or edit the first CREATE DATABASE and USE lines in the SQL file before importing. Give the database user full permissions for that database.

Import database/schema.sql (or your renamed lexybox.sql).
In phpMyAdmin: select the new database, choose Import, select the SQL file, then start the import.

Confirm the required tables exist.
You should see tables including users, settings, messages, auth_tokens, and registration_codes. Other tables are created or upgraded automatically when their features are used.

mysql -u YOUR_DATABASE_USER -p YOUR_DATABASE_NAME < database/schema.sql

Important: The supplied SQL may contain example or previous Plex settings. After import, immediately save your own Plex URL and token from the admin panel.

2. Upload the Web Files

Upload the backend and admin folders under the same website root. A typical layout is:

public_html/
└── lexybox/
    ├── backend/
    │   ├── api/
    │   ├── config/
    │   ├── controllers/
    │   └── tools/
    └── admin/
        ├── assets/
        └── uploads/

Ensure the web-server user can write to admin/uploads. Keep backend/config/config.php private and never expose it as plain text.

3. Edit the PHP Configuration

Open backend/config/config.php and replace all database credentials, URLs, and secret values.

define('DB_HOST', 'localhost');
define('DB_PORT', '3306');
define('DB_NAME', 'lexybox');
define('DB_USER', 'lexybox_user');
define('DB_PASS', 'USE_A_STRONG_DATABASE_PASSWORD');

define('APP_URL',   'https://your-domain.com/lexybox/backend');
define('ADMIN_URL', 'https://your-domain.com/lexybox/admin');

define('JWT_SECRET',    'GENERATE_A_NEW_RANDOM_SECRET');
define('STREAM_SECRET', 'GENERATE_A_DIFFERENT_RANDOM_SECRET');

Generate secure secrets

php -r "echo bin2hex(random_bytes(32)), PHP_EOL;"

Never place your Plex token, database password, JWT secret, or stream secret in public documentation, screenshots, APK debug text, or client-side code.

Test the API

https://your-domain.com/lexybox/backend/api/index.php?route=settings

A JSON response confirms that PHP routing and the database connection are working.

4. Connect Your Plex Server

Open https://your-domain.com/lexybox/admin/login.php.

Open Plex Settings and enter the complete Plex server URL, including https:// and the port when required.

Enter your Plex owner token and press the connection-test button.

Configure Plex Libraries Order, including movie, TV-show, kids, language, and favorites libraries.

Refresh metadata/cache and confirm that the real Plex library names and item counts appear.

Finding a Plex token: Sign in to Plex Web, open an item, choose Get Info, select View XML, and locate the X-Plex-Token parameter. Treat this token like a password.

5. Secure and Configure the Admin Panel

Default administrator: username admin, password admin123. Change it immediately in App Settings → Admin Account Security.

Set the application name and theme.
Enable or disable public registration.
Configure activation codes and allowed usage count.
Set maintenance mode and DEV login permissions.
Configure splash-screen video and enable switch.
Configure default subtitle style for new users.
Set movie/series details-card layout.
Select the main-screen theme.
Create users, moderators, and administrators.
Set account expiry and connection limits.
Configure app update releases.
Back up the portable intro/outro marker database.

6. Configure the Compiled Android APK

Customers receive a compiled APK, not the original Android source code. The compiled APK must be decompiled, configured with the customer's panel/API URL, rebuilt, aligned, and signed.

Make a backup first. Keep an untouched copy of the original supplied APK and securely save the signing keystore used for every release.

Required tools

Java/JDK 17 or newer
Apktool
Android SDK Build Tools containing zipalign and apksigner
A text editor that can search all files in a folder

Step A — Decompile the supplied APK

java -jar apktool.jar d LexyBox.apk -o LexyBox-decompiled

Step B — Find the existing server address

Search every file inside LexyBox-decompiled for the word smazze. Replace every LexyBox server/API URL belonging to that host with your own installation URL.

Windows PowerShell search:

Get-ChildItem -Path .\LexyBox-decompiled -Recurse -File |
  Select-String -Pattern 'smazze' |
  Select-Object Path, LineNumber, Line

Linux/macOS search:

grep -Rni "smazze" LexyBox-decompiled

Replace the old API address with your complete API endpoint, for example:

https://your-domain.com/lexybox/backend/api/index.php

Replace URLs only. Do not alter unrelated code, package names, resource IDs, encrypted values, or application logic. Preserve the same URL format, including https://, folder path, and index.php.

Step C — Confirm the old host is gone

Run the same search again. It should return no remaining production references to smazze.

Step D — Rebuild the APK

java -jar apktool.jar b LexyBox-decompiled -o LexyBox-unsigned.apk --use-aapt2

Step E — Align the APK

zipalign -p -f 4 LexyBox-unsigned.apk LexyBox-aligned.apk

Step F — Sign the APK

Create a signing keystore only for the first release. Save it permanently; every future update must use exactly the same keystore.

keytool -genkeypair -v -keystore lexybox-release.jks -alias lexybox -keyalg RSA -keysize 2048 -validity 10000

apksigner sign --ks lexybox-release.jks --ks-key-alias lexybox --out LexyBox-release.apk LexyBox-aligned.apk

apksigner verify --verbose --print-certs LexyBox-release.apk

Step G — Test before distribution

Install the APK on a test phone and Android TV/box.
Confirm login reaches your own panel.
Confirm Plex libraries, posters, details, and playback work.
Confirm registration, messages, subtitles, audio, and settings work.
Confirm the APK can update a previous release without uninstalling it.

Certificate warning: If an update is signed with another certificate, Android will refuse to update the installed app. Users must uninstall it first, which removes local app data. Always reuse and back up the original release keystore.

Cron, Cache, and Synchronization

Use the sync URL and security key configured in the panel when scheduling Plex synchronization. Never publish the sync key.

https://your-domain.com/lexybox/backend/api/index.php?route=plex/sync&key=YOUR_SYNC_SECURITY_KEY

Recommended cron interval: every 15–60 minutes, depending on library size. Use the panel’s cache controls after changing Plex libraries or metadata.

Complete Feature Overview

Plex library browser

Movies, series, seasons, episodes, real library names, favorites, search, genre, and studio filtering.

Multiple full layouts

Original and multiple redesigned home/details themes selectable from the panel.

TV remote navigation

Focus handling for Android TV/boxes, cards, seasons, settings, subtitle lists, and player controls.

Advanced player

Resume, play from start, seek, quality, fit, previous/next episode, subtitles, and audio-track switching.

Subtitles

Automatic/manual search, language preference, custom appearance, server defaults, ASS cleanup, and saved preferences.

Audio selection

Manual and automatic preferred-language selection with account synchronization.

Smart skip markers

Intro/outro detection, moderator markers, portable cross-server episode matching, alternate-cut duration matching, backups, and imports.

Profiles

Multiple home profiles, profile management, profile-specific favorites, watched data, and resume progress.

Account synchronization

Favorites, watched movies/episodes, subtitle preferences, audio preferences, and language restored after reinstall.

Registration controls

Enable/disable registration, activation codes, custom usage limits, unlimited codes, and expiry handling.

User controls

Roles, account expiry, suspension, connection limits, saved-data reset, and moderator permissions.

Connection enforcement

Per-account simultaneous-device limits with user-facing warnings.

Maintenance mode

Maintenance screen plus restricted DEV login for administrators and moderators.

Messages

Send/edit messages to one user or everyone, automated expiry messages, and one-time dismissal.

Activity reporting

Live viewing activity, watched duration versus total, IP address, country information, and history.

Overview dashboard

Live activity, viewing statistics, popular media, active users/platforms/libraries, and recently added content.

Media requests

User request submission and admin-side request management.

Application updates

Publish APK updates, manage versions, expire old releases, and maintain update history.

Splash video

Panel-controlled intro video with local background download/cache and main-screen preloading.

Image preloading

Poster and backdrop caching, priority loading for opened cards, and lower-quality fast backgrounds.

Localization

Automatic device-language detection, manual app-language selection, translated UI, and account storage.

Custom branding

Panel-controlled app name, login background, splash video, colors, and layouts.

VPN management

Admin-side VPN server management.

Debug protection

Optional debug information while keeping Plex tokens and sensitive direct URLs hidden from normal users.

Production Security Checklist

Use HTTPS for the panel, API, and Plex server.
Change the default admin password immediately.
Generate unique JWT and stream secrets.
Replace all sample database credentials.
Replace any Plex URL/token imported by the SQL file.
Keep debug mode disabled for normal users.
Protect and back up the Android signing keystore.
Restrict database access to the web server.
Keep PHP and MySQL updated.
Back up the database and marker database regularly.
Do not expose config.php, sync keys, or Plex tokens.
Use strong activation codes and expiry dates.

Troubleshooting

Problem	Checks
Database connection failed	Verify DB host, port, name, username, password, privileges, and that the SQL import completed.
Route not found	Use `backend/api/index.php?route=...`, confirm rewrite rules, and verify the uploaded folder paths.
Plex libraries do not load	Test the Plex URL/token in the panel, confirm remote access/firewall rules, then refresh cache.
Images remain black	Confirm Plex image proxy access, token validity, PHP URL/cURL support, cache permissions, and HTTPS certificates.
APK will not update	Rebuild with the same package name and sign it with the exact same keystore/certificate used by the installed app.
App connects to the old server	Decompile the APK again, search all files for `smazze`, replace every old API URL, rebuild, align, and sign it.
Uploads fail	Check `admin/uploads` permissions and PHP upload/post-size limits.
Markers do not transfer	Use a current marker backup containing content identity and duration; ensure series names, season, and episode numbers match.